Apple looking to get rid of passwords on iphone

[Mike Stay]

https://twitter.com/rmondello/status/1484571223250067456

--
Mike Stay - meta...@gmail.com
http://math.ucr.edu/~mike
https://reperiendi.wordpress.com

[William ML Leslie]

On Sun, 23 Jan 2022, 2:44 pm Mike Stay, <meta...@gmail.com> wrote:

https://twitter.com/rmondello/status/1484571223250067456

Clicked through the thread to read about something called WebAuthn. Have we discussed that? It looks like a decent start, but the question I feel I want an answer to is how do I do three-party auth if credentials are scoped to a hostname...

[John Kemp]

On 1/22/22 23:16, William ML Leslie wrote:
> On Sun, 23 Jan 2022, 2:44 pm Mike Stay, <meta...@gmail.com

> <mailto:meta...@gmail.com>> wrote:
>
> https://twitter.com/rmondello/status/1484571223250067456

> <https://twitter.com/rmondello/status/1484571223250067456>
>
>
> Clicked through the thread to read about something called WebAuthn. Have
> we discussed that?

WebAuthn is based on the work of the FIDO Alliance, which was intended
to be a standards-based answer to Apple's TouchID biometric authN. The
Apple implementation is excellent, as is Google's support for things
like Yubikey (USB-based devices). "Passwordless" authentication is now
actually real.

It looks like a decent start, but the question I feel
> I want an answer to is how do I do three-party auth if credentials are
> scoped to a hostname...

Well, in a way, there are already (at least) three parties in the
WebAuthn flow - the user, her browser, and the website (RP). I suppose
there's also the phone/biometric hardware, which must also be
authenticated in this flow. Which three parties are you thinking of?

This blog goes into some detail about WebAuthn on the iPhone, and
discusses what I consider a bit of an annoyance (although this is a
"standard", support isn't standard across software).

https://www.security-embedded.com/blog/2021/5/2/under-the-hood-webauthn-in-safari

- johnk

>
> --
> You received this message because you are subscribed to the Google
> Groups "cap-talk" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cap-talk+u...@googlegroups.com
> <mailto:cap-talk+u...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/cap-talk/CAHgd1hE9RKfz5xJ5AKN1p489LOAcRRpRve0QeP3fP_Xm1R%3DS9g%40mail.gmail.com
> <https://groups.google.com/d/msgid/cap-talk/CAHgd1hE9RKfz5xJ5AKN1p489LOAcRRpRve0QeP3fP_Xm1R%3DS9g%40mail.gmail.com?utm_medium=email&utm_source=footer>.

[Jonathan S. Shapiro]

The outcome of this may be unexpectedly interesting. Retinas and fingerprints are not meaningfully protected from search under the US 5th Amendment. In theory they should be, but in practice they are so easy to collect that ths restriction is frequently ignored by law enforcement during the initial arrest.  A password, pin, or other "something you know" is essential for maintenance of privacy.

Jonathan

To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/51ac9bef-6436-2432-b2f1-f2ec6545104c%40gmail.com.

[Alan Karp]

Indeed.  A few years ago I read an article that said by law you can be required to unlock your device with a fingerprint (this was before FaceID) but not a PIN or password.

--------------
Alan Karp

To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAAP%3D3QNytfHTwEfJdOt7%2BGFOjPCY7nHmnxT1Gkes-zZmBTj7nA%40mail.gmail.com.

[Mark S. Miller]

Good points. Perhaps this is Apple's way to capitulate to the national security state while saving face? We do not know how much secret pressure they're under.

Besides the legal point, you can also be physically forced to unlock with your body. By contrast, rubber hose attacks do not necessarily succeed at getting someone to divulge their password.

To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z1tgbkDeOp_zqF7pxqR8Cxr5XLHyZoDx_QHmEwf7H2J%2Bw%40mail.gmail.com.

--

  Cheers,
  --MarkM